HTTP协议传输的数据都是未加密的，也就是明文的，因此使用HTTP协议传输隐私信息非常不安全，为了保证这些隐私数据能加密传输，于是网景公司（Netscape Communications Corporation）设计了SSL（Secure Sockets Layer）协议用于对HTTP协议传输的数据进行加密，从而就诞生了HTTPS。本文将介绍在Cacti中启用https登录。

1. 安装mod_ssl软件包

   yum install -y mod_ssl
   

2. 生成服务器私钥ca.key

   openssl genrsa -out ca.key 2048
   

3. 用私钥ca.key文件生成证书请求文件ca.csr

   openssl req -new -key ca.key -out ca.csr
   

   按照提示完成相关信息：

   You are about to be asked to enter information that will be incorporated
   into your certificate request.
   What you are about to enter is what is called a Distinguished Name or a DN.
   There are quite a few fields but you can leave some blank
   For some fields there will be a default value,
   If you enter '.', the field will be left blank.
   -----
   Country Name (2 letter code) [XX]:CN
   State or Province Name (full name) []:Hunan
   Locality Name (eg, city) [Default City]:Changsha
   Organization Name (eg, company) [Default Company Ltd]:CNCONN Company
   Organizational Unit Name (eg, section) []:NetBU
   Common Name (eg, your name or your server's hostname) []:cacti
   Email Address []:netadmin@cnconn.com
   
   Please enter the following 'extra' attributes
   to be sent with your certificate request
   A challenge password []:123456
   An optional company name []:
   

   如果找第三方公司签名，请把csr文件发给第三方公司签名。以下第4步是自签设定。

4. 生成证书文件ca.crt

   openssl x509 -req -days 700 -in ca.csr -signkey ca.key -out ca.crt
   

   可以见到生成成功的提示信息：

   Signature ok
   subject=C = CN, ST = Hunan, L = Changsha, O = CNCONN Company, OU = NetBU, CN = cacti, emailAddress = netadmin@cnconn.com
   Getting Private key
   

   如果是找第三方公司签名，第三方公司签名后会把crt文件发给你。

5. 复制证书文件到对应的目录

   cp ca.crt /etc/pki/tls/certs
   cp ca.key /etc/pki/tls/private/ca.key
   cp ca.csr /etc/pki/tls/private/ca.csr
   

6. 修改Apache SSL配置文件

   vi /etc/httpd/conf.d/ssl.conf
   

   找到如下两行配置文件：

   SSLCertificateFile /etc/pki/tls/certs/localhost.crt
   SSLCertificateKeyFile /etc/pki/tls/private/localhost.key
   

   修改为：

   SSLCertificateFile /etc/pki/tls/certs/ca.crt
   SSLCertificateKeyFile /etc/pki/tls/private/ca.key
   

7. 修改防火墙配置

   firewall-cmd --permanent --add-service=https
   firewall-cmd --permanent --remove-service=http
   firewall-cmd --reload
   firewall-cmd --permanent --list-all
   
   

8. 重启http服务

   systemctl restart httpd
   

9. 服务器一般是放置在硬件网络防火墙DMZ区，如是，还需开放硬件网络防火墙的权限。